Change how we set permission for config file
This commit is contained in:
parent
5814e62e55
commit
b33da5a6a3
2 changed files with 36 additions and 10 deletions
|
@ -28,11 +28,9 @@ class podmanrunner::runner (
|
||||||
group => "root",
|
group => "root",
|
||||||
}
|
}
|
||||||
|
|
||||||
if $aaa {
|
$runnerdata.each |$user,$userdata| {
|
||||||
|
|
||||||
$runnerdata.each |$user| {
|
user { "${user}${userpostfix}":
|
||||||
|
|
||||||
user { "${user}${}":
|
|
||||||
ensure => present,
|
ensure => present,
|
||||||
home => "/opt/${user}${userpostfix}",
|
home => "/opt/${user}${userpostfix}",
|
||||||
shell => '/usr/sbin/nologin',
|
shell => '/usr/sbin/nologin',
|
||||||
|
@ -72,12 +70,14 @@ class podmanrunner::runner (
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
file { "/opt/${user}${userpostfix}/runnerdata/config.yml":
|
unless find_file("/opt/${user}${userpostfix}/runnerdata/config.yml") {
|
||||||
ensure => file,
|
file { "/opt/${user}${userpostfix}/runnerdata/config.yml":
|
||||||
source => 'puppet:///modules/podmanrunner/forgejo-runner-config.yml',
|
ensure => file,
|
||||||
owner => "${user}${userpostfix}",
|
source => 'puppet:///modules/podmanrunner/forgejo-runner-config.yml',
|
||||||
group => "${user}${userpostfix}",
|
owner => "${user}${userpostfix}",
|
||||||
mode => '0400',
|
group => "${user}${userpostfix}",
|
||||||
|
mode => '0400',
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Make sure the podman user can read the /data dir
|
# Make sure the podman user can read the /data dir
|
||||||
|
@ -89,6 +89,15 @@ class podmanrunner::runner (
|
||||||
unless => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare stat --format %u /opt/${user}${userpostfix}/runnerdata | grep ^1000$ && podman unshare stat --format %g /opt/${user}${userpostfix}/runnerdata | grep ^1000$'",
|
unless => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare stat --format %u /opt/${user}${userpostfix}/runnerdata | grep ^1000$ && podman unshare stat --format %g /opt/${user}${userpostfix}/runnerdata | grep ^1000$'",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Make sure the podman user can read the /data/config.yml file
|
||||||
|
exec { "podman-${user}${userpostfix}-own-runner-config":
|
||||||
|
command => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare chown 1000:1000 /opt/${user}${userpostfix}/runnerdata/config.yml'",
|
||||||
|
path => '/usr/bin:/usr/sbin:/bin',
|
||||||
|
provider => shell,
|
||||||
|
logoutput => false,
|
||||||
|
unless => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare stat --format %u /opt/${user}${userpostfix}/runnerdata/config.yml | grep ^1000$ && podman unshare stat --format %g /opt/${user}${userpostfix}/runnerdata/config.yml | grep ^1000$'",
|
||||||
|
}
|
||||||
|
|
||||||
exec { "enable-${user}${userpostfix}-linger":
|
exec { "enable-${user}${userpostfix}-linger":
|
||||||
command => "loginctl enable-linger ${user}${userpostfix}",
|
command => "loginctl enable-linger ${user}${userpostfix}",
|
||||||
path => '/usr/bin:/usr/sbin:/bin',
|
path => '/usr/bin:/usr/sbin:/bin',
|
||||||
|
|
|
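Review bot: The new `unless find_file("/opt/${user}${userpostfix}/runnerdata/config.yml")` guard is evaluated at catalog compile time, and for an absolute path `find_file` checks the filesystem of the host doing the compiling — in an agent/server setup that is the Puppet server, not the runner node, so the guard would never find the file, the `file` resource would keep resetting owner/group to `${user}${userpostfix}` on every run, and the later `podman-…-own-runner-config` exec would flip it back to the unshare-mapped 1000:1000 each time. The check only behaves as intended under masterless `puppet apply`; I cannot tell from the diff which mode is in use, so please confirm before relying on it. A node-side alternative that keeps the restrictive mode is to drop the guard, keep `mode => '0400'`, add `replace => false` so the shipped config is only seeded once, and remove `owner`/`group` from the `file` resource so ownership is left to the exec (its `unless` already makes it idempotent). The `$runnerdata.each` block these resources sit in starts in the first hunk and continues past the last one.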
@ -0,0 +1,17 @@
|
||||||
|
version: "3"
|
||||||
|
services:
|
||||||
|
actionrunner:
|
||||||
|
name: actionrunner
|
||||||
|
image: podmanrunner-3.3.0
|
||||||
|
build:
|
||||||
|
context: ./runnerimage
|
||||||
|
volumes:
|
||||||
|
- runnerdata:/data:Z
|
||||||
|
|
||||||
|
volume:
|
||||||
|
runnerdata:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
device: /opt/runneruser1runner/runnerdata
|
||||||
|
o: bind
|
||||||
|
type: none
|
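Review bot: The top-level key `volume:` should be `volumes:`; as written the named volume `runnerdata` referenced by `- runnerdata:/data:Z` is never defined, so Compose will either reject the file or create an anonymous volume instead of the intended bind mount to `/opt/runneruser1runner/runnerdata`. That `device:` path also hardcodes a single user, while the manifest in the other file iterates `${user}${userpostfix}` — if this compose file is shared by several runner users they would all mount the same `runnerdata` directory and the same config.yml, so it presumably needs templating per user; worth confirming. Also, `name: actionrunner` is not a service-level key in the Compose file format as far as I can tell (`container_name` is), so it is likely ignored or rejected by schema validation.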